z/OS Open Cryptographic Services Facility Application Programming
Certificate Library Services API

SC24-5899-01

The primary purpose of a Certificate Library (CL) module is to perform syntactic operations on a specific certificate format and its associated Certificate Revocation List (CRL) format. This encapsulation allows applications and TP modules to focus on the usage of certificates rather than the mechanics of format manipulation.

The syntactic operations on certificates include field management operations and cryptographic operations. Field management operations allow an application to input fields into a certificate and retrieve fields from a certificate without knowledge of the certificate's content organization or encoding format. Cryptographic operations on certificates encode the proper fields of a certificate in the proper order prior to executing certificate signing and verification.

The syntactic operations on CRLs mirror the operations on their corresponding certificate format. CRL field management operations allow the insertion and retrieval of CRL fields, including addition and removal of certificates from the revocation list. The CL module manages the translation from the certificate to be revoked to its representation in the CRL. The CL module also properly encodes the necessary fields of a CRL prior to signing and verification.

Each CL module may implement some or all of these functions on certificates and CRLs. The available functions are registered with OCSF when the module is attached. Each CL module should be accompanied by information specifying its supported functions, its unsupported functions, and its module-specific passthrough functions. It is the responsibility of the application developer to obtain and use this information when developing applications that use a selected CL module.

A CL module's functionality may be partitioned, as appropriate, between the local client and a remote server. For example, a CL module may redirect the CSSM_CL_CertSign function to a Certificate Authority (CA) server application, but perform the CSSM_CL_CertGetKeyInfo function as a local operation.

CL modules manipulate memory-based objects only. The persistence of certificates, CRLs, and other security-related objects is an independent property of these objects. It is the responsibility of the application and/or the TP module to use data storage modules to make objects persistent (if appropriate).
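The following is an added illustration, not OCSF or IBM code, of the three responsibilities described above: field management that hides the certificate's encoding from the caller, canonical encoding of the to-be-signed fields before signing and verification, and CRL maintenance in which the module translates a certificate into its revocation-list entry. Everything in it is a hypothetical stand-in: the tag/length/value layout, the numeric tags, the function names, and the keyed FNV-1a hash used where a real CL would pass the encoded bytes to a CSP for a genuine signature. It also shows two checks a CL should make: a field whose length overruns the buffer is rejected rather than read, and the signature comparison runs in constant time.

```c
/* Toy Certificate Library (CL) module modelled on the OCSF CL abstraction. Added
 * illustration, not OCSF code: the TLV layout, tags and function names are hypothetical. */
#include <stdint.h>
#include <string.h>

/* Hypothetical field tags (stand-ins for certificate OIDs). */
enum { TAG_VERSION = 1, TAG_SERIAL = 2, TAG_ISSUER = 3, TAG_SUBJECT = 4, TAG_SIGNATURE = 9 };
#define CERT_MAX 256
/* A certificate is a flat buffer of [tag:1][len:1][value:len] fields. */
typedef struct { uint8_t buf[CERT_MAX]; size_t len; } Cert;

/* Field management: callers name a tag and value, never an offset or encoding. */
static int cert_set_field(Cert *c, uint8_t tag, const uint8_t *val, uint8_t vlen) {
    if (c->len + 2 + vlen > CERT_MAX) return 0;
    c->buf[c->len++] = tag;
    c->buf[c->len++] = vlen;
    memcpy(c->buf + c->len, val, vlen);
    c->len += vlen;
    return 1;
}
/* Retrieve a field by tag; NULL if absent or if a length overruns the buffer. */
static const uint8_t *cert_get_field(const Cert *c, uint8_t tag, uint8_t *vlen) {
    for (size_t i = 0; i + 2 <= c->len; ) {
        uint8_t t = c->buf[i], l = c->buf[i + 1];
        if (i + 2 + l > c->len) return NULL;           /* malformed encoding: reject */
        if (t == tag) { *vlen = l; return c->buf + i + 2; }
        i += 2 + l;
    }
    return NULL;
}
/* Encode the to-be-signed fields in canonical tag order, excluding the signature,
 * so signer and verifier always process identical bytes. */
static size_t cert_encode_tbs(const Cert *c, uint8_t *out, size_t cap) {
    size_t n = 0;
    for (uint8_t tag = 1; tag < TAG_SIGNATURE; tag++) {
        uint8_t l; const uint8_t *v = cert_get_field(c, tag, &l);
        if (!v) continue;
        if (n + 2 + l > cap) return 0;
        out[n++] = tag; out[n++] = l;
        memcpy(out + n, v, l); n += l;
    }
    return n;
}
/* Keyed FNV-1a stands in for the signature a CSP would compute over the TBS bytes.
 * Host byte order is fine here because sign and verify run in one process. */
static uint32_t toy_mac(const uint8_t *d, size_t n, uint32_t key) {
    uint32_t h = 2166136261u ^ key;
    for (size_t i = 0; i < n; i++) { h ^= d[i]; h *= 16777619u; }
    return h;
}
static int cert_sign(Cert *c, uint32_t key) {
    uint8_t tbs[CERT_MAX];
    size_t n = cert_encode_tbs(c, tbs, sizeof tbs);
    if (n == 0) return 0;
    uint32_t m = toy_mac(tbs, n, key);
    return cert_set_field(c, TAG_SIGNATURE, (const uint8_t *)&m, sizeof m);
}
static int cert_verify(const Cert *c, uint32_t key) {
    uint8_t l, tbs[CERT_MAX], diff = 0;
    const uint8_t *sig = cert_get_field(c, TAG_SIGNATURE, &l);
    if (!sig || l != sizeof(uint32_t)) return 0;
    uint32_t m = toy_mac(tbs, cert_encode_tbs(c, tbs, sizeof tbs), key);
    for (size_t i = 0; i < sizeof m; i++) diff |= sig[i] ^ ((const uint8_t *)&m)[i];
    return diff == 0;                                  /* constant-time comparison */
}

/* CRL: the module translates a certificate into its revocation entry (its serial). */
#define CRL_MAX 16
typedef struct { uint8_t serial[CRL_MAX][8]; uint8_t slen[CRL_MAX]; int n; } Crl;

static int crl_find(const Crl *r, const uint8_t *s, uint8_t l) {
    for (int i = 0; i < r->n; i++)
        if (r->slen[i] == l && memcmp(r->serial[i], s, l) == 0) return i;
    return -1;
}
static int crl_add_cert(Crl *r, const Cert *c) {
    uint8_t l; const uint8_t *s = cert_get_field(c, TAG_SERIAL, &l);
    if (!s || l > 8 || r->n >= CRL_MAX) return 0;
    if (crl_find(r, s, l) >= 0) return 1;              /* already listed: idempotent */
    memcpy(r->serial[r->n], s, l); r->slen[r->n] = l; r->n++;
    return 1;
}
static int crl_remove_cert(Crl *r, const Cert *c) {
    uint8_t l; const uint8_t *s = cert_get_field(c, TAG_SERIAL, &l);
    int i = s ? crl_find(r, s, l) : -1;
    if (i < 0) return 0;
    r->n--;                                            /* move last entry into the hole */
    memcpy(r->serial[i], r->serial[r->n], 8); r->slen[i] = r->slen[r->n];
    return 1;
}
static int crl_is_revoked(const Crl *r, const Cert *c) {
    uint8_t l; const uint8_t *s = cert_get_field(c, TAG_SERIAL, &l);
    return s != NULL && crl_find(r, s, l) >= 0;
}
```

An application using this toy module calls cert_set_field and cert_get_field by tag only, and passes whole certificates to crl_add_cert and crl_remove_cert; it never sees the buffer layout, which is the encapsulation the CL abstraction provides. Because cert_encode_tbs walks fields in fixed tag order rather than in insertion order, a certificate whose fields were supplied in a different order still verifies, and any change to a signed field changes the encoded bytes and fails verification.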

Copyright IBM Corporation 1990, 2014